Bug 25749

Summary: gnupg2 new security issue CVE-2019-14855
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, lists.jjorge, mageia, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-32-OK MGA7-64-OK
Source RPM: gnupg2-2.2.17-1.mga7.src.rpm CVE: CVE-2019-14855
Status comment:

Description David Walser 2019-11-26 12:15:46 CET 
GnuPG 2.2.18 has been released on November 25:
https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html

Changes include the following:
  * gpg: Prepare against chosen-prefix SHA-1 collisions in key
    signatures.  This change removes all SHA-1 based key signature
    newer than 2019-01-19 from the web-of-trust.  Note that this
    includes all key signature created with dsa1024 keys.  The new
    option --allow-weak-key-signatues can be used to override the new
    and safer behaviour.  [#4755,CVE-2019-14855]
Comment 1 Stig-Ørjan Smelror 2019-11-26 15:46:55 CET 
Advisory
========

GnuPG has been updated to fix a security issue (CVE-2019-14855).

Changes include the following:
  * gpg: Prepare against chosen-prefix SHA-1 collisions in key
    signatures.  This change removes all SHA-1 based key signature
    newer than 2019-01-19 from the web-of-trust.  Note that this
    includes all key signature created with dsa1024 keys.  The new
    option --allow-weak-key-signatues can be used to override the new
    and safer behaviour.


References
==========
https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html

Files
=====

Uploaded to core/updates_testing

gnupg2-2.2.18-1.mga7

from gnupg2-2.2.18-1.mga7.src.rpm

Assignee: smelror => qa-bugs
CVE: (none) => CVE-2019-14855

Comment 2 José Jorge 2019-11-29 11:06:53 CET 
Tested with enigmail on thunderbird, all ok.

CC: (none) => lists.jjorge

José Jorge 2019-11-29 11:07:03 CET

Whiteboard: (none) => MGA7-32-OK

Comment 3 PC LX 2019-11-29 16:36:04 CET 
Installed and tested without issue.

Tested using kleopatra, kmail and gpg cli. Tested sign, verify, encrypt, decrypt, search key, refresh keys, import, export, list keys.

$ uname -a
Linux marte 5.3.13-desktop-2.mga7 #1 SMP Mon Nov 25 20:30:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q gnupg2
gnupg2-2.2.18-1.mga7

Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK
CC: (none) => mageia

Comment 4 Thomas Andrews 2019-11-29 21:52:22 CET 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-11-30 12:45:24 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-11-30 14:07:57 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0348.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED